@zenstackhq/language 3.0.0-beta.3 → 3.0.0-beta.4

package/dist/index.js

@@ -5649,6 +5649,7 @@ var AttributeApplicationValidator = class {
       });
     }
   }
+  // TODO: design a way to let plugin register validation
   _checkModelLevelPolicy(attr, accept) {
     const kind = getStringLiteral(attr.args[0]?.value);
     if (!kind) {
@@ -5664,8 +5665,49 @@ var AttributeApplicationValidator = class {
       "delete",
       "all"
     ], attr, accept);
-    this.rejectEncryptedFields(attr, accept);
+    if ((kind === "create" || kind === "all") && attr.args[1]?.value) {
+      this.rejectNonOwnedRelationInExpression(attr.args[1].value, accept);
+    }
+  }
+  rejectNonOwnedRelationInExpression(expr, accept) {
+    const contextModel = AstUtils2.getContainerOfType(expr, isDataModel);
+    if (!contextModel) {
+      return;
+    }
+    if (AstUtils2.streamAst(expr).some((node) => {
+      if (!isDataFieldReference(node)) {
+        return false;
+      }
+      if (node.target.ref?.$container !== contextModel) {
+        return false;
+      }
+      const field = node.target.ref;
+      if (!isRelationshipField(field)) {
+        return false;
+      }
+      if (isAuthOrAuthMemberAccess(node)) {
+        return false;
+      }
+      const startNode = isCollectionPredicate(node.$container) && node.$container.left === node ? node.$container : node;
+      const collectionPredicate = AstUtils2.getContainerOfType(startNode.$container, isCollectionPredicate);
+      if (collectionPredicate && isAuthOrAuthMemberAccess(collectionPredicate.left)) {
+        return false;
+      }
+      const relationAttr = field.attributes.find((attr) => attr.decl.ref?.name === "@relation");
+      if (!relationAttr) {
+        return true;
+      }
+      if (!relationAttr.args.some((arg) => arg.name === "fields")) {
+        return true;
+      }
+      return false;
+    })) {
+      accept("error", `non-owned relation fields are not allowed in "create" rules`, {
+        node: expr
+      });
+    }
   }
+  // TODO: design a way to let plugin register validation
   _checkFieldLevelPolicy(attr, accept) {
     const kind = getStringLiteral(attr.args[0]?.value);
     if (!kind) {
@@ -5693,7 +5735,6 @@ var AttributeApplicationValidator = class {
         });
       }
     }
-    this.rejectEncryptedFields(attr, accept);
   }
   _checkValidate(attr, accept) {
     const condition = attr.args[0]?.value;
@@ -5743,15 +5784,6 @@ var AttributeApplicationValidator = class {
       });
     }
   }
-  rejectEncryptedFields(attr, accept) {
-    AstUtils2.streamAllContents(attr).forEach((node) => {
-      if (isDataFieldReference(node) && hasAttribute(node.target.ref, "@encrypted")) {
-        accept("error", `Encrypted fields cannot be used in policy rules`, {
-          node
-        });
-      }
-    });
-  }
   validatePolicyKinds(kind, candidates, attr, accept) {
     const items = kind.split(",").map((x) => x.trim());
     items.forEach((item) => {
@@ -6565,11 +6597,11 @@ var ExpressionValidator = class {
             });
           }
           if (isDataFieldReference(expr.left) && (isThisExpr(expr.right) || isDataFieldReference(expr.right))) {
-            accept("error", "comparison between model-typed fields are not supported", {
+            accept("error", "comparison between models is not supported", {
               node: expr
             });
           } else if (isDataFieldReference(expr.right) && (isThisExpr(expr.left) || isDataFieldReference(expr.left))) {
-            accept("error", "comparison between model-typed fields are not supported", {
+            accept("error", "comparison between models is not supported", {
               node: expr
             });
           }